Predictable Cookie Session IDs

I am running CF8 with all the latest hot-fixes and for the past couple of months I have not had any issues with PCI. Yesterday I failed with a "Predictable Cookie Session ID" remark. I do have Use UUID as CFToken checked as well as Use J2EE Session Vars. What am I missing?

Based on what OWASP has to say:

"Best practice calls for J2EE session management. In the event that only ColdFusion session management is available, strong security identifiers must be used. Enable this setting to change the default 8-character CFToken security token string to a UUID."
http://www.owasp.org/index.php/Configuration

It looks like the J2EE sessions are the way to go.

I believe the reason for the PCI flag is that the scan (at least the one from the service we use) was looking at CFID alone. I assume this because cftoken -was- set to use uuid so it should have been secure. The scan probably doesn't know that cfid and cftoken are used in conjunction. So in a way this is a false positive. Based on the new standards coming in it is enough to be out of compliance.

The solution to be in compliance is to set clientmanagement="no" and setclientcookies="no" in application.cfm so that cfid and cftoken are not set at all. By using only the jsessionid, you are following best practices from OWASP and also get the benefit of the session ending on browser close.

Other thoughts still welcome.
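The kind of check the PCI scanner in this thread (and the one quoted in the "J2EE session variables" thread further down) appears to run, as an added Python example that is not from the original posts, the scanner vendor or ColdFusion: it pulls session cookies out of constructed Set-Cookie headers, flags any cookie whose values step up by a small constant, and reports whether the server set only JSESSIONID, which is what clientmanagement="no" plus setclientcookies="no" in Application.cfm produces. All cookie values are made up for the example.

```python
import re

# Constructed Set-Cookie headers from five consecutive first-visit responses
# (made-up values, not real captures). Case 1: CF8 with "Use UUID as CFToken"
# on but client cookies still enabled, so both CFID and CFTOKEN are sent and
# CFID counts up by one per new session.
CF_COOKIES_ON = [
    ["CFID=896744; path=/", "CFTOKEN=5c1a9e2b7d4f3a60-2B7E1C9A-3D4F-5E6A-7B8C9D0E1F2A3B4C; path=/"],
    ["CFID=896745; path=/", "CFTOKEN=a83d07c1e5b2f94d-6F1A2B3C-4D5E-6F7A-8B9C0D1E2F3A4B5D; path=/"],
    ["CFID=896746; path=/", "CFTOKEN=0f7e6d5c4b3a2918-9C8B7A6F-5E4D-3C2B-1A0F9E8D7C6B5A4E; path=/"],
    ["CFID=896747; path=/", "CFTOKEN=d2c3b4a5968778f9-1E2D3C4B-5A69-7887-96A5B4C3D2E1F0AF; path=/"],
    ["CFID=896748; path=/", "CFTOKEN=7b3f1e9d2c4a6085-4A5B6C7D-8E9F-0A1B-2C3D4E5F6A7B8C9E; path=/"],
]
# Case 2: the same server after clientmanagement="no" and setclientcookies="no"
# in Application.cfm with J2EE session variables on: only JSESSIONID is set.
J2EE_ONLY = [
    ["JSESSIONID=3F2C1A0B9E8D7C6B5A4F3E2D1C0B9A8F; path=/; HttpOnly"],
    ["JSESSIONID=9A8B7C6D5E4F3A2B1C0D9E8F7A6B5C4D; path=/; HttpOnly"],
    ["JSESSIONID=C4D3E2F1A0B9C8D7E6F5A4B3C2D1E0F9; path=/; HttpOnly"],
    ["JSESSIONID=1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E; path=/; HttpOnly"],
    ["JSESSIONID=E5F4A3B2C1D0E9F8A7B6C5D4E3F2A1B0; path=/; HttpOnly"],
]

COOKIE_RE = re.compile(r"^\s*([^=;\s]+)=([^;]*)")

def parse_set_cookie(headers):
    """Map cookie name -> value for one response's Set-Cookie headers."""
    cookies = {}
    for header in headers:
        match = COOKIE_RE.match(header)
        if match:
            cookies[match.group(1)] = match.group(2).strip()
    return cookies

def values_by_name(responses):
    """Collect every value of each cookie name in the order it was observed."""
    seen = {}
    for headers in responses:
        for name, value in parse_set_cookie(headers).items():
            seen.setdefault(name, []).append(value)
    return seen

def is_sequential(values, max_step=100):
    """All values are integers and each exceeds the previous by a small step:
    the pattern behind "CFID=896744 ... CFID=896748" in the scanner output."""
    if len(values) < 2 or not all(v.isdigit() for v in values):
        return False
    nums = [int(v) for v in values]
    return all(0 < b - a <= max_step for a, b in zip(nums, nums[1:]))

def looks_random(values, min_len=16):
    """Cheap heuristic for a UUID-style CFTOKEN or a servlet JSESSIONID:
    long, non-numeric and never repeated across the sampled responses."""
    distinct = len(set(values)) == len(values)
    return distinct and all(len(v) >= min_len and not v.isdigit() for v in values)

def classify(values):
    if is_sequential(values):
        return "sequential"
    if looks_random(values):
        return "random-looking"
    return "unknown"

def predictable_cookies(responses):
    """Cookie names the scanner would flag. Each cookie is judged on its own,
    which is why a sequential CFID is reported even when CFTOKEN is a UUID."""
    return sorted(name for name, vals in values_by_name(responses).items()
                  if classify(vals) == "sequential")

def audit(responses):
    """Summary matching the thread's fix: no sequential session cookie and no
    CFID/CFTOKEN at all, only the J2EE JSESSIONID."""
    names = set(values_by_name(responses))
    flagged = predictable_cookies(responses)
    cf_set = bool(names & {"CFID", "CFTOKEN"})
    return {"flagged": flagged, "cf_cookies_set": cf_set,
            "jsessionid_only": names == {"JSESSIONID"},
            "passes": not flagged and not cf_set}

if __name__ == "__main__":
    for label, sample in (("CFID/CFTOKEN on", CF_COOKIES_ON), ("J2EE only", J2EE_ONLY)):
        print(label, audit(sample))
```

Feeding it real captures means collecting the Set-Cookie headers of several fresh (cookie-less) requests to your own server; the per-cookie verdict shows why a UUID CFTOKEN alone does not clear the finding while CFID is still being issued.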

Similar Messages

  • Cookie session information not being stored

    I consulted the documentation on cookie sessions ids for flex
    and tried the sample code below but it does not work. It always
    acts as if the data never gets stored (it always goes to the size
    == 0 case for initialization). I double checked the Flash Player
    settings and they are set up to store 100KB. What could be causing
    this to fail?

    I'm working with a sort of cookie:
    [Bindable]
    public var sharedObjectData:SharedObjectData = SharedObjectData.getInstance();

    private function initApplication():void
    {
        sharedObjectData.locallyStoredObject = SharedObject.getLocal("sampleData");
        if (sharedObjectData.locallyStoredObject.data.userStatus == null)
        {
            // first run: nothing stored yet (the initialization branch is not shown in the post)
        }
        else
        {
            currentState = "loggedIn";
            name_text.text = sharedObjectData.locallyStoredObject.data.userStatus;
        }
    }
    This works fine for me

  • J2EE session variables & Non Random Session IDs

    Our server keeps failing our PCI compliance test due to the Session ID's being non random.
    Description: Web Server Uses Non Random Session IDs
    Synopsis: The remote web server generates predictable session IDs.
    Impact: The remote web server generates a session ID for each connection. A session ID is typically used to keep track of the actions of a user while he visits a web site. The remote server generates non-random session IDs. An attacker might use this flaw to guess the session IDs of other users and therefore steal their session.
    See also: http://pdos.csail.mit.edu/cookies/seq_sessionid.html
    Data Received: Sending several requests gives us the following session IDs: CFID=896744 CFID=896745 CFID=896746 CFID=896747 CFID=896748
    Resolution: Configure the remote site and CGIs so as to use random session IDs.
    Risk Factor: Medium / CVSS2 Base Score: 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N
    We are using J2EE session variables which I thought was the more secure option. Is there something else you have to do to guarantee that the Session IDs are non random or is this the Compliance test picking up on a false positive?
    P.S. It's a recent migration to CF10, don't know if that has anything to do with it.

    Personally, I use the client scope instead of the session scope so that I don't have to worry about sticky sessions.  That has always worked out nicely for me.
    I read that article you referenced, and it's got some interesting stuff.  In particular, I have seen the client scope database tables not purge as they're supposed to.  And the stuff about preparing, executing, and then unpreparing SQL statements on each request is alarming, if true.
    However, I have to say that I have never, ever, ever, ever had performance issues due to client variables.  Not once.  Whatever performance hit my application may incur from using client variables has, to this point, been completely dwarfed by the performance of the application itself.  And, c'mon, the stuff about being lazy because you don't want to spend precious engineering time worrying about something like session management (which is never going to add value to your product) rather than coding something actually useful to your end users...that seems overly harsh to me.
    I completely agree that storing client vars in the Windows Registry is bananas, as is the default 90 day purge limit (though as of CF 9.0.whatever, the default is 1 day, 7 hours, so clearly they've made some changes since this article was written).  But I'm loathe to throw away client-based management.
    I think, getting back to the issue at hand, that this may be a false positive.  CFID is sequential, but CFTOKEN is not; that should really be the end of the story.  I'll see if McAfee will listen.  (-;

  • How to invalidate session ids

    Dear all,
    Anyone know how to invalidate the session ids?
    Ex. Server maintains many client session ids.
    I want to invalidate those client session ids.

    There are several cases when a session is invalidated:
    1. when the time specified in web.xml elapsed (session-timeout tag) - this is specified for the entire server
    2. when using session.setMaxInactiveInterval. specs:
    "Specifies the time, in seconds, between client requests before the servlet container will invalidate this session."
    3. when you call session.invalidate() specs: " Invalidates this session then unbinds any objects bound to it." With this, the session is immediately invalidated.

  • ALC-UPG-221-002: Errors while migrating archive session Ids.

    I am doing an out of place upgrade from ES2 to ES4.  I have run the Turnkey ES4 upgrade, installed SP1, copied the GDS from the old location to the new location and run Configuration Manager.  When I get to the "Perform
    critical tasks before component deployment" screen and click the Start button I get this error:
    [10:07] ALC-UPG-002-505: Disabling UserManager synchronization.
    [10:07] ALC-UPG-001-501: Executing [Application Manager] plugin ...
    [10:07] ALC-UPG-001-503: [Application Manager] plugin execution failed, error message from plugin is [ALC-UPG-221-002: Errors while migrating archive session Ids.].  See LCM logs for details.
    [10:07] ALC-UPG-002-506: Enabling UserManager synchronization.
    The LCM log has this:
    [2014-08-06 10:32:58,555], INFO, AWT-EventQueue-0, com.adobe.livecycle.upgrade.gui.UpgradePhaseDialog, ALC-UPG-002-505: Disabling UserManager synchronization.
    [2014-08-06 10:32:58,560], INFO, Thread-32, com.adobe.livecycle.lcm.feature.lcServer.LCServerConnector, LC Connection properties: {DSC_DEFAULT_SOAP_ENDPOINT=http://localhost:8080, DSC_TRANSPORT_PROTOCOL=SOAP, DSC_CREDENTIAL_PASSWORD=********, DSC_REQUEST_TIMEOUT=1200000, DSC_CREDENTIAL_USERNAME=administrator, }
    [2014-08-06 10:32:58,560], INFO, Thread-32, com.adobe.livecycle.lcm.feature.lcServer.LCServerConnector, Validating connection...
    [2014-08-06 10:32:59,961], SEVERE, Thread-32, com.adobe.livecycle.upgrade.control.PhaseRunner, Aborting.  Invocation of method [configurePreDeploy] failed for com.adobe.livecycle.upgrade.plugins.from9xto100.applicationmanager.Upgrade9xTo100ApplicationManagerPlugin.  Caught com.adobe.livecycle.upgrade.UpgradeException, message: ALC-UPG-221-002: Errors while migrating archive session Ids.
    com.adobe.livecycle.upgrade.UpgradeException: ALC-UPG-221-002: Errors while migrating archive session Ids.
    at com.adobe.livecycle.upgrade.plugins.from9xto100.applicationmanager.Upgrade9xTo100ApplicationManagerPlugin.configurePreDeploy(Upgrade9xTo100ApplicationManagerPlugin.java:110)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at com.adobe.livecycle.upgrade.control.PhaseRunner.run(PhaseRunner.java:244)
    at java.lang.Thread.run(Thread.java:724)
    [2014-08-06 10:33:01,763], INFO, AWT-EventQueue-0, com.adobe.livecycle.upgrade.gui.UpgradePhaseDialog, ALC-UPG-002-506: Enabling UserManager synchronization.
    Nothing tells what the errors are.

    Dear Pallavi,
    Very useful post!
    I am looking for similar accelerators for
    Software Inventory Accelerator
    Hardware Inventory Accelerator
    Interfaces Inventory
    Customization Assessment Accelerator
    Sizing Tool
    Which helps us to come up with the relevant Bill of Materials for every area mentioned above, and the ones which I don't know...
    Request help on such accelerators... Any clues?
    Any reply, help is highly appreciated.
    Regards
    Manish Madhav

  • List all active login sessions IDs

    Hi,
    I want to enumerate all active login sessions for session IDs. I found some api SessionGetInfo which gives current user
    session ID. and getutmpxent which gives process id of (as i understand id of process creating session) all sessions. I
    want to map pid to session id. or is there any other way to list the session IDs of all logged in users.
    Thanks.

    Hi Nagendra,
    You can get the information through one more option also. In case of function module you need to execute the module again and again for each user or may be need to write a report. I would like to suggest you an alternative. That is making use of queries.
    1. Go to transaction SQVI.
    2. In the input field Quick View give the any name for query for example Z_EMAIL_ADD.
    3. Choose create option. In the resulting pop up give description in Title field. In data source choose TABLE JOIN. Select Basis mode.
    4. In the next screen choose INSERT TABLE pushbutton and in the pop up give USR21. Then again choose INSERT TABLE pushbutton and this time give ADR6.
    5. Now go back using back arrow or F3.
    6. Now in the new screen you will be under the tab strip List fld select.. From that entries under available field (on right hand side) select User name in user master record and the first entry for Internet mail (SMTP) address. Now using single arrow pushbutton pointing towards left move these fields to tabstrip List fld select.
    7. Now go to tabstrip selection field. As done in step 6 move User name in user master record under it.
    8. Save the changes and go back. A pop up will come asking you to save quick view Z_EMAIL_ADD. Choose yes.
    9. Now execute the query. In the input field you can give one user or multiple users at a given time.
    Regards,
    Rajesh

  • Cookie session

    Hello
    I am a little new to ColdFusion, I have just finished my first web site (using CF8 and MySql5)
    My hosting server doesn’t enable session on CF8 plans (only on CF9)
    I want to login users securely so they can edit or delete their Add
    So I am obliged to upgrade to CF9 or use cookie session instead of CF or J2EE session
    If any one has an idea how to login user using cookie session
    If is it possible to give example code
    Thank you very much

    Hi,
    Try two different browser products. IE and Netscape ??
    Actually I feel url re-writing should work with multiple instances of same browser product.
    -Kuntal.
    Somasundaram wrote:
    > Dear Group,
    >
    > I am trying this simple click count jsp based on sessions. It works ok with
    > a single browser instance. But when i have multiple instances of the browser
    > from the same vendor, the session seems to be shared between these two
    > instances (because of cookie based session and cookie files are shared
    > between browser instances, i guess.). Trying to get separate sessions for
    > each browser instance. Tried disabling cookie based session and enable
    > URLRewriting based session. Nothing seems to work. Session is not maintained
    > and a new session is created for every access of the same JSP. Please
    > help...
    >
    > Thanks & Regards
    > Somasundaram
    >
    > --
    > -----------------------------------------------------
    > | E-mail: [email protected]
    > |
    > -----------------------------------------------------

  • Database Session IDs

    I've tried finding an answer and it seems simple enough but I was wondering if anybody could help with the following:
    -It might help that what I have in mind is creating a staging table that stores a session id and a couple other columns. A final procedure is called in the end that takes the data from the staging table and inserts into another based on the session id and another column and deletes it from the staging table. I'm a little concerned that if an error occurs in one of the prior procedures that data will not be cleaned up. My thought was to create a shell script that ran every so often that will remove any entries deemed to be over a certain time limit. However, it got me thinking about session ids and if it is possible that a session id could be used again. It would cause a problem if there was an error and the script hadn't run yet and the session id was reused again. Therefore my questions below.
    Are Session IDs unique?
    Are Session IDs reused?
    If so, is there a general rule of thumb of how frequently they could be used again?
    Any help would be appreciated.
    Thanks

    First, what, exactly do you mean by "Session ID"?
    If you mean SID (from v$session), yes, SIDs are reused all the time. The combination of SID and SERIAL# from V$SESSION is generally unique enough. It will be reused, but on a much longer time scale.
    If you mean SYS_CONTEXT('USERENV','SESSIONID'), the auditing session identifier, that should be unique assuming it is populated (it is not populated for SYS sessions, for example).
    If you mean something else, you'll have to be a bit more specific.
    Justin

  • Session Ids

    Hi,
    How do I store the session ids of the stateful session beans.Their type is void.How can I persist them in the local database?
    Regards
    Bhavana

    HI
    GOOD
    GO THROUGH THIS LINK, I HOPE THIS WILL GIVE YOU SOME IDEA TO SOLVE YOUR PROBLEM
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/56fbae90-0201-0010-518d-a256d833508e
    http://wendtstud1.hpi.uni-potsdam.de/sysmod-seminar/SS2005/elaborations/02_Clustering-Concept_of_the_SAP_web_AS.pdf
    http://www.ssw.uni-linz.ac.at/Teaching/Lectures/SpezialLVA/Loeffler/SS2005/j2ee_introduction_and_practice.pdf
    THANKS
    MRUTYUN

  • Save cookie/session after login on web service client

    I am calling a web service that has a login method. It sets a session id in
    a cookie. Every subsequent call fails and says I'm not logged in. How do I
    save their cookie or session ID such that the server thinks I'm logged in?
    Here's the client code (I used clientgen to create jar from wsdl);
    DatashareManager dsm = new DatashareManager_Impl();
    WebServiceContext wsContext = dsm.context();
    WebServiceSession session = (WebServiceSession) wsContext.getSession();
    DatashareManagerSoap dsmsoap = dsm.getDatashareManagerSoap();
    String result = dsmsoap.login("username", "password");      // this works
    EResult result2 = dsmsoap.deleteReusableList(1, "bob");    // this fails: 'Not logged in'

    That sounds like a difficult one to implement because you'll essentially need to intercept the AppsLogin servlet (or AppsLocalLogin.jsp) to conditionally redirect the user somewhere else - and that would be an intrusive (and not recommended) customization.
    Some possible alternatives:
    1. Rather than publish http://hrlive.myintranet.local:8000/OA_HTML/AppsLogin as the URL that your users connect to, publish something like http://hrlive.myintranet.local:8000/OA_HTML/XxLogin.jsp instead. That could be a custom JSP that asks the user to agree to the disclaimer and, when they agree, store that agreement in a cookie and then redirect to AppsLogin.
    That's not quite the same because you're asking the user to agree before they login. It also means that they can navigate direct to AppsLogin and bypass the disclaimer (unless you customize AppsLogin to verify the cookie).
    2. Assign all users a default 'Disclaimer' responsibility with a single function (such as an EIT, or a custom OA Framework page) that allows the user to agree to the disclaimer. Then once they've agreed to it have some process that automatically grants them their real responsibilities and revokes the Disclaimer responsibility. For example, if you used an EIT that could be an API User Hook.
    One problem with this approach is that you'll need to clear cache through Functional Administrator before the new responsibilities are visible so you'll either need to find a way of doing that programmatically or ask the user to wait until tomorrow (assuming you do a nightly web server bounce).

  • CSM inserted cookie - session or persistent

    Hi,
    I am working on a requirement to load balance http requests to IBM WebSphere Application servers. Each server is configured on the CSM as one real server, but in reality there are several instances of the program running within the server. These instances are fault tolerant, so that if one of them should fail, another instance within the same server can take over and maintain the session. We currently stick clients based on the jsessionid. The problem with this is that if the instance within the server fails and another takes over, it will use a different cookie, and the stickiness is lost. Our requirement is to maintain stickiness to the same real server should an instance of the application fail. We have tried using the HTTP cookie insert feature, but this appears to be a persistent cookie that expires in 2010. We need this to be a session cookie (expires when the client's browser closes). I have seen this URL - http://www.cisco.com/en/US/partner/products/hw/switches/ps708/module_installation_and_configuration_guides_chapter09186a0080463841.html#wp1050708 which states that the CSM-S module will insert a session cookie. I know that the CSM inserts a persistent cookie. Can anyone tell me whether the cookie inserted by the CSM-S module is definitely a session cookie or not. Also, does anyone have any ideas as to how else I can resolve this issue. Many thanks in advance

    The browser itself controls whether it wants to keep a copy of the cookie for the session only or whether it wants to save it.
    The only thing the server, or CSM, can do is set an expiration date.
    You can change the expiration to another static date if you think 2010 is too far away.
    This is done with a variable.
    Do a 'sho mod csm x var' to see which variable it is.
    CSM-S is just a CSM with an on-board SSL module. So they act the same in this matter.
    Also, even if it was a "session" cookie, I do not see how it would solve your issue.
    If the client comes back with no cookie, it will not be sent to another instance of the same server - it will simply be loadbalanced among all the available servers.
    What you would need is more like a cookie shared by all instances of the application on a particular server.
    Then the CSM could match on the cookie to select a serverfarm that would only use instances running on this server.
    Do you have the possibility to insert a static cookie in your application ?
    Gilles.

  • Cookie session question

    I want to know how to maintain session or cookie in a wap application.
    As far as I know wap doesn't support (certainly the current version) cookies.
    My scenario is user login (I want to save its user id in the session).
    He chooses a brand then category then sku then enters sales from an input box.
    I want to save the sale with userid (I don't want to pass user id to each page).
    So what can I do.
    Please help as I am a newbie to WAP

    woah, really? so would my best bet be to use a java
    -> com bridge and then just re-login using that?Errr.
    Okay here is the issue.
    The browser should only send cookies back to the server (or domain actually) from whence they (the cookies) originally came. This prevents a malicious site from reading cookies set by other sites which is good for all sorts of reasons. Imagine for a moment if I could send you to a site where I could read the cookies set on this site. I could pretend to be logged in as you then.
    So ultimately if you want the browser to have a cookie it will send to a site it has to get it from that site in the first place and it shouldn't be getting it from somewhere else aka your code.
    Does this help explain it better?

  • How can i get list of Session Ids or SessionObjects present in appl server

    hi,
    I want to explicitly kill the sessions of the logged in persons from an application server instead of waiting for the server to invalidate them once their time is out.
    Can I get the list of all the session objects available in the server at that particular moment?
    regards
    sowjanya

    Hi!
    1.getIds() in javax.servlet.http.HttpSessionContext
    can be used but it is Deprecated.
    2.getIds() in javax.net.ssl.SSLSessionContext
    Returns an Enumeration of all session id's (you can't use this in this case)
    also in weblogic(BEA)change request No: CRS 45879 and 47878:
    supports methods like:
    public static boolean invalidateAll(HttpServletRequest req);
    check out there.
    Thanks,
    Ramu

  • How to track session IDs for multiple apps in same server instance?

    All:
    We have 2 web applications (for example: app1,app2) running in one app
    server instance (weblogic 5.1). Both of those applications use the same
    cookie name (defined in weblogic.properties ) to keep the HttpSessionID.
    The tricky thing is that if a client logs in to app1 and then logs in to
    app2 with the same web browser, (for example, IE). The app1's
    HttpSessionID kept in the cookie will be overwritten by app2's
    HttpSessionID because they use the same cookie name.
    My question is this:
    Is there a way to specify a cookie name for each application running in
    an application server instance?
    The only way we know of to work around the problem is that we have to
    host the app1 and app2 in 2 different app server instances so we can
    config app1 and app2 to use different cookie names for the
    HttpSessionID. We are curious if there is a better way to do that.
    BTW, We must use Cookie because of the requirement of cluster and load
    balancer.
    Thanks,
    Ben

    Hi Ben,
    Which version of Weblogic are you using?
    In 5.1 sp8 the Cookie names of the Web Apps are different by default.
    Prasad Peddada <[email protected]> wrote:
    Why can't you add your own cookie?
    In 6.0 you can have different cookie names for different
    apps.
    -- Prasad
    "Benjamin D. Engelsma" wrote:
    > All:
    > We have 2 web applications (for example: app1, app2) running in one app
    > server instance (weblogic 5.1). Both of those applications use the same
    > cookie name (defined in weblogic.properties ) to keep the HttpSessionID.
    > The tricky thing is that if a client logs in to app1 and then logs in to
    > app2 with the same web browser, (for example, IE). The app1's
    > HttpSessionID kept in the cookie will be overwritten by app2's
    > HttpSessionID because they use the same cookie name.
    > My question is this:
    > Is there a way to specify a cookie name for each application running in
    > an application server instance?
    > The only way we know of to work around the problem is that we have to
    > host the app1 and app2 in 2 different app server instances so we can
    > config app1 and app2 to use different cookie names for the
    > HttpSessionID. We are curious if there is a better way to do that.
    > BTW, We must use Cookie because of the requirement of cluster and load
    > balancer.
    > Thanks,
    > Ben

  • How to know/predict the HTML IDs generated on the dashboard??

    Hi Experts,
    I created a dashboard, and kept a prompt on it. The prompt is as shown: [http://www.imageping.com/out.php/i71495_tempprompt.jpg]
    I examined the HTML code for this prompt, and for Year drop down it looks like:
    Nicolae Ancuta wrote:
    <td sid="saw_22_6" gfpbuilder="{ GFPBuildFilter('\x22D0 Time\x22.\x22T05 Per Name Year\x22','in','drop',null,'',document.getElementById('saw_22_6').value); }" class="GFPFilter">
      <span style="" class="GFPCaption">Year:</span><br>
      <span style="" class="GFPControl">
        <select onchange="" id="saw_22_6" name="saw_22_6">
          <option selected="" value="*)nqgtnone(*"></option>
          <option value="2006">2006</option>
          <option value="2007">2007</option>
          <option value="2008">2008</option>
          <option value="2009">2009</option>
        </select>
      </span>
    </td>
    Sorry I am unable to show the full code: In the html I observed id="saw_22_6".
    My main point of interest is about the id="saw_22_6"
    Now i have 4 questions:
    How is it generated?
    Is it generated by SAW server?
    Is there any way that I can predict that ID?
    Is there any way that I can force the server to put my own value into that ID?
    Thanks,
    OBIEE-N-Co

    Hi.
    I launch IE manually, then I launch my application. I know, that's not very effective. But that's the only way I've found to launch specifically IE6 when several versions or browsers are installed. By the way, any suggestions to improve this is welcome !
    Thanks for the idea of writing a proxy, I'll seek the web to learn how to do, since it's the first time I'll write such a component but I think that's a very good idea.
    This suggestion raised another question in my mind: Is that possible to launch a java application as a service ? I'll look after that seeking the web, but if you tell me it's impossible, that will for sure shorten my job.
    Anyway, many thanks for your help.
